Changes between Version 16 and Version 17 of TIEDABACDemo
Timestamp: 07/10/09 20:14:27
TIEDABACDemo
v16 v17 57 57 Once the edge is present, again, showing that Ted has the GPO.demo attribute is a matter of showing the path. 58 58 59 == Distributed Authorization==59 === Distributed Authorization === 60 60 61 61 In the examples above, creating the paths from principal to attribute that constitute a proof are all done assuming total information in the hands of the prover. ABAC does not require a prover to hold all such information initally and provides a negotiation protocol to gather it. We sketch that protocol here. … … 94 94 * A principal must be able to sign assertions 95 95 96 Any authentication system that establishes a public key meets these requirements, modulo a system to map various key types into a single identifier, e.g. hashing the bits of the keys in a common format. PGP keys and X.509 certificates directly meet those requirements (even self-signed X.509 certificates will do). Systems that attest user attributes, like [ 96 Any authentication system that establishes a public key meets these requirements, modulo a system to map various key types into a single identifier, e.g. hashing the bits of the keys in a common format. PGP keys and X.509 certificates directly meet those requirements (even self-signed X.509 certificates will do). Systems that attest user attributes, like [http://shibboleth.internet2.edu/ Shibboleth ] can attest a public key/principal as an attribute. Such systems have the added utility that they can act as external credential stores as well. 97 97 98 Some principals never attest attributes, e.g., end users. Such users that are only identifiable by something like an InCommon [http://www.incommonfederation.org/attributesummary.html#eduPersonPrincipalName eduPersonPrincipalName] or kerberos name can be converted to the same principal identifier space by hashing the name along with the namespace (Kerberos,InCommon, etc.) into the same hash space as the public-key based systems. 
Some care must be taken with functions and hashspace sizes, but collisions can be made arbitrarily unlikely.98 Some principals never attest attributes, e.g., end users. Such users that are only identifiable by something like an !InCommon [http://www.incommonfederation.org/attributesummary.html#eduPersonPrincipalName eduPersonPrincipalName] or kerberos name can be converted to the same principal identifier space by hashing the name along with the namespace (Kerberos, !InCommon, etc.) into the same hash space as the public-key based systems. Some care must be taken with functions and hashspace sizes, but collisions can be made arbitrarily unlikely. 99 99 100 100 When possible binding to a public-key-based identifier is infinitely preferred. … … 175 175 176 176 If the environment is open, the GENI principal can simply publish the relevant credential for CTF slice admin (and general) access. Because each requester now knows the beginning of the graph, they are likely to be able to include the whole proof in their first request, removing a round trip time. 177 178 In addition, the completed graph completely reflects the decisions made to grant or deny access. These can be logged as expressive audit trials covering both the decisions and the reasons for those decisions. 179 180 === Conclusions === 181 182 This example has illustrated some of the key features of ABAC that make it scalable to operate and decentralized to administer while being practical to negotiate access.
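Review bot: the heading fix at line 59 (`== Distributed Authorization==` to `=== Distributed Authorization ===`) matches the level of the `=== Conclusions ===` heading added at line 180, but the unchanged context line 61 still carries the misspelling "initally"; change it to "initially" while this section is being edited.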
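Review bot: line 98 is inconsistent about capitalisation, "kerberos name" in the running text versus "Kerberos" in the parenthetical "(Kerberos, !InCommon, etc.)"; capitalise the first occurrence as well. The other changes in this hunk are sound: the Shibboleth link that v16 cut off at "like [" is now complete, the "!InCommon" escape keeps Trac from rendering the CamelCase word as a dangling wiki link, and the sentence that v16 split across lines 98 and 99 is rejoined.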
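Review bot: line 178 says "audit trials" where "audit trails" is meant, and "the completed graph completely reflects" reads awkwardly; suggest "the completed graph fully reflects the decisions made to grant or deny access. These can be logged as expressive audit trails covering both the decisions and the reasons for those decisions." Since this line now presents the proof graph as the audit record, it would also help to say that the logged proof should keep the signed assertions that form each edge (the section at line 94 already requires principals to sign assertions), so an audit entry can be re-verified later rather than only read.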